media: saa7146: fix array overflow in vidioc_s_audio() (420959db) · Commits · e / devices / android_kernel_fairphone_FP3

[ Upstream commit 8e4d86e241cf035d6d3467cd346e7ce490681937 ] The "a->index" value comes from the user via the ioctl. The problem is that the shift can wrap resulting in setting "mxb->cur_audinput" to an invalid value, which later results in an array overflow. Fixes: ("[media] mxb: fix audio handling") Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:

Hans Verkuil <hverkuil-cisco@xs4all.nl> Signed-off-by:

Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by:

Sasha Levin <sashal@kernel.org>

drivers/media/pci/saa7146/mxb.c

+10 −9

Original line number	Diff line number	Diff line
		@@ -652,7 +652,10 @@ static int vidioc_s_audio(struct file file, void fh, const struct v4l2_audio *
		struct mxb mxb = (struct mxb )dev->ext_priv;

		DEB_D("VIDIOC_S_AUDIO %d\n", a->index);
		if (mxb_inputs[mxb->cur_input].audioset & (1 << a->index)) {
		if (a->index >= 32 \|\|
		!(mxb_inputs[mxb->cur_input].audioset & (1 << a->index)))
		return -EINVAL;

		if (mxb->cur_audinput != a->index) {
		mxb->cur_audinput = a->index;
		tea6420_route(mxb, a->index);
		@@ -661,8 +664,6 @@ static int vidioc_s_audio(struct file file, void fh, const struct v4l2_audio *
		}
		return 0;
		}
		return -EINVAL;
		}

		#ifdef CONFIG_VIDEO_ADV_DEBUG
		static int vidioc_g_register(struct file file, void fh, struct v4l2_dbg_register *reg)